ewido 3.5 - possible false positives?

ewido 3.5 scan reveals:

c:\program files\grisoft\avg free\avgemc.exe
Heuristic.Win32.Dialer

The above file is the email scanner of the grisoft's AVG. So im assuming this must be an fp. Bit surprising others with AVG have not seen this?!?

c:\program files\isp\aol\comps\coach\aolcinst.exe/data\player\aolnysev.exe
Heuristic.Win32.Hijacker1

The above file, is one of those files most pc's have, that come preinstalled with their machine. Its an isp installation file which i have never used, since aol is not my isp. I really should just erase this directory

I uploaded both files to virustotal & jottis online scanners respectively both reported the files where clean.

Could someone confirm these are fp's and will be fixed next update?

Thanks in advance
noobie1kenobi

PS
I have temporarily disabled the avgemc plugin, until i know better!

 

The AVG fp has already been fixed, could you please send the "aolcinst.exe" to submit@ewido.net? thx

 

Ok, file submitted

Do you mean AVG FP fixed in todays update?

Because I downloaded todays update and i am still getting the AVG FP!

Or do you mean it's fixed for the next update release?

thx
noobie1kenobi

 

I've had what I think is a false positive called heuristic.Win32.Dialer associated with the AOL 9.0 file called acsd.exe - that's the AOL Connectivity Service. I've sent the file to Ewido, but no reply yet. The following scanners say the file is clean. Pest Control, Ad-Aware, SpyBot S&D, AVG, online Trend Spyware check.

I have uninstalled AOL and deleted the directory containing the file. After that, Ewido 3.5 runs a clear scan. Then I reinstalled AOL from a clean source and repeated a scan, and Ewido 3.5 says the heuristic.Win32.Dialer is back. If I remove just the file, Ewido will run a clean scan, but AOL will not work. AOL then offers to rebuild the file, and round and round.

It sure sounds like a false positive to me, but I'll wait until I hear more from Ewido.

Chex

 

It will probably be added tomorrow, i have never had a reply to a submitted file, but they are usually added in the next day or two.

 

Well a new sig update for ewido 3.5 was released today. This update does not resolve, either of the false positives, i reported in my earlier post!

Fish25 you reported the AVG FP had been fixed. But using the latest sigs, i still get the AVG FP that i reported earlier.

The file i submitted is also still flagged as malware. Then again, i did not expect that to be fixed by the next update.

However, i expected the AVG fp to be fixed, since fish stated it had!!!!!

What's going on?

noobie1kenobi

 

What signature files do you have? Have you really got the latest updates? All known false positives (including yours) have been fixed.

 

This is what i've got:
threats in database: 168.260
version of database: #1322

Should i uninstall, reinstall ewido 3.5 then update again?

 

Strange... Could you perhaps zip the entire ewido folder and send it to support@ewido.net? Many thanks! Also a sample false positive would be nice

 

I think i can explain why noobie is still seeing FP's even after an update.

If you update sigs via manual updates you will see this problem.

This is because manual updates only contain sig dat files.

The other important file changes that were made automatically are not downloaded.

So the heuristic file that was updated in automatic updates, will not be updated in a manual update. So you will still see the FP's even tho you have updated sigs!!

I found this out while comparing automatic and manual updates!!!

Noobie, simply resintall and use the automatic updates not the manual updates. Hope this helps.

IMO manual updates are useless because only sig dats are updated. Other important updated files are not included. So if you have any fp's they won't get fixed by a manual update.

Is this correct fish?

hawkster

 

Thanks hawkster.

Yes, initially i had to do a manual update. Not sure whether it was a server problem or firewall setup but couldn't autoupdate.

Anyway, i reinstalled ewido and this time autoupdate worked.

Voila! No more FP's

As for the files updated, your right!

Several files not updated manually, were updated by the autoupdate. Including a heuristic file, which was probably what was giving me my FP's.

It seems in a manual update only sigs are updated. Other files updated by the autoprocess are not included in manual updates.

Which like you said, kind of renders manual updates as useless, unless you couldn't care about the heuristics feature.

Fish, will ewido be including the relevant updated files, not just the sig dat files, in future manual updates?

Five non-sig dat files were updated by the autoupdate including sigs but were not done so by a manual update!!!

If not, people for whatever reason, updating manually will find that they will still get FP's they got before.

My suggestion in this case is not to use heuristics if you manually update!
Thanks again
noobie1kenobi

 

Manual update from inside the program != manual signature update by using the files from our website

The manual update from within the program does the same as the automatic update does.

 

Sorry fish, I wasn't clear.

What i meant was, I used the updates installer, which i downloaded from the website from the link below.

http://www.ewido.net/en/download/updates/

Then ran the installer on my machine. This installer only updated the sig dat files and not any of the other important files needed. Which was why, i was still getting FPs.

When i did this, with the integrated manual update, the sig files AND the non-sig files were updated.

Will the installer of sigs, that you download from the above link, include the other updated non-sig files needed in the future?

Shall i state on here, which files the downloaded installer, does not update?

These non-sig files need to be included with the sigs in the installer, otherwise its not the same as the integrated manual update.

Thanks
noobie

 

I just downloaded and tested the new Ewido. I had the following false positives:

I "ignored" them manually.

The first is part of pcAnywhere (and was a Heuristic check, obviously).

The second, nc.exe, is Netcat, a command-line utility for file transfers. "Netcat, dubbed the TCP/IP 'Swiss Army knife', is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol."

 

Yeah here's my FP's

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:22:44 PM, 7/10/2005
+ Report-Checksum: 70E5C8B2

+ Scan result:

C:\downloads\Games\risk.zip/risk.exe -> Worm.Franvir : Ignored
C:\Unzipped\Risk\risk.exe -> Worm.Franvir : Ignored


::Report End

I'm going to send these to ewido to make sure they are FP's. From all the other scans I done they seem to be.

 

I ran a full system scan and it seems to have scanned my 2nd hard drive which has Windows ME on it and it says

F:\WINDOWS\tmpcpyis.bat is Backdoor.AcidShiver

That's a detection on Win ME not XP, but I think it is a FP nonetheless. Not sure if it matters to Fish because it was on Win ME. I scanned it with many other scanners and uploaded it to KAV and it was clean.

 

Neither PCanywhere nor Netcat should be counted as false positives I think. I personally would appreciate detection of such tools.

If you use such tools, fine. Just ignore. For most people the presence of such proggies is a big red flag.

 

For your information, I still can confirm the false positive:

C:\Program Files\Common Files\AOL\ACS\acsd.exe -> Heuristic.Win32.Dialer : Cleaned with backup

has not been fixed.

Thanks for your help, Ewido team!

 

It has been fixed, at least the two acsd.exe we got aren't detected anymore. Could you please send us your acsd.exe?

 

The most current heuristic.dat is now included in the updatepacks available on our website.

 

Does the most current heuristic.dat file have to be downloaded seperately or will my automatic updates on Ewido 3.5 Pro automatically download it? If it has to be downloaded separately, could you give us the URL for the download because I'm having a hard time finding it on your site.

Thanks

 

Automatic

 

Found 1 possible false positive while did a Complete System Scan with the default settings more scan every file...

 

The false positive was fixed...

Thanks

 

Yes, they are quite fast in fixing the Heuristic false positives.